CIOZone.com - Professional Network for CIOs and IT Professionals

SOMETHING TO FEAR

There are good reasons why companies are turning to increasingly sophisticated monitoring tools. Some studies, such as one conducted in 2006 by the F.B.I., suggest as much as 70 percent of attacks originate from within an organization.

Not only that, but the definition of what constitutes and insider has changed. Companies now open up their corporate networks to a wide range of suppliers, consultants and customers, and that in turn opens up new avenues for security breaches and data leakage.

Consider some of the higher profile network security breaches of the past year:

• Oracle sued rival SAP in March, alleging that employees of an SAP operating unit called TomorrowNow, based in Bryan Texas, stole proprietary information from Oracle's network. In its suit Oracle claims that TomorrowNow employees used "the log-in credentials of Oracle customers with expired or soon-to-expire support rights," and then "accessed and copied thousands of individual software and support materials." Oracle alleges SAP then used the materials to offer "cut-rate" support deals to Oracle clients. In a statement, SAP responded to the suit by saying TomorrowNow was authorized to download materials from Oracle's Web site on behalf of TomorrowNow customers. It says it will defend the lawsuits in hearings expected to resume in U.S. District Court in San Francisco early this year.


• Formula One racing team McLaren Group was fined $100 million last September and excluded from the 2007 Constructors' Championship, after it was revealed a former Ferrari employee took designs for special gases with him when he defected to McLaren. Ferrari was able to finger the culprit because it had deployed software from Verdasys of Waltham, Mass. which allows it to track individuals that access certain files.


• WestJet Airlines, a Canadian discount airline, was forced to issue an apology in May 2006 to rival Air Canada and pay a $15.5 million penalty, after it admitted members of its management team accessed a password protected Air Canada employee Web site and downloaded competitive data. The WestJet employees used the Air Canada Web site to obtain detailed information on Air Canada flight loads.

Keith Rice, a vice president with the Threat Detection Engineering Group at Bank of America, notes that an insider may, in fact, be a partner working on critical application development overseas. "One thing we're running into now is we've outsourced a lot of development to India and other locations," says Rice. "We have very strict contractual rules in place, that state what they can do, what they cannot do, and what they must have installed on their networks. But that creates whole new issues for us."

"It's a constant battle," adds Bruce Valentine, senior vice president in treasury management at Comerica Bank. Valentine is responsible for ensuring the security of the bank's e-commerce and other customer facing applications. "We have what everyone wants - money. And data is the key to that money," says Valentine. In today's competitive banking environment, you have to open up your networks to customers, says Valentine, but that means you have to put systems in place to manage the risk.

Keith Carter, executive director of materials management systems with Estée Lauder, agrees that companies have to accept a certain amount of risk or trust when dealing with partners and suppliers. But, he says, that doesn't mean blind trust. He shared a recent example of data leakage at a security conference in Palo Alto in November. Estée Lauder had designed a counter poster display it wanted to use in stores with its Bobbi Brown cosmetic line. "One of our competitors came out with it a month earlier, because the photographer, in this case, showed it to the competitor as a sample [of their work]. We couldn't use it any longer, because we didn't want to look like we were the ones who copied the idea," says Carter.

In this case, the company ended its relationship with the photographer, but Carter says the incident demonstrates how easily competitive data can leak out of an organization without proper controls in place. It also demonstrates the kind of analysis companies need to perform to determine what types of data or files need to be protected.